-
Notifications
You must be signed in to change notification settings - Fork 773
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeflow on kubernetes: existing_arrikto: add instructions for connecting with LDAP/AD #898
kubeflow on kubernetes: existing_arrikto: add instructions for connecting with LDAP/AD #898
Conversation
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
/assign |
Fixes #901 |
@yanniszark Would you like this fix to be considered part of the Kubeflow Doc Sprint? If so, it's not too late to register for the doc sprint. :) Details, including the registration link, are on the wiki: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this update! I've requested a few changes to improve readability and usability.
As you saw in the overview, we use [Dex](https://github.com/dexidp/dex) for providing user authentication. | ||
Dex supports several authentication methods: | ||
|
||
* Static Users (what we used so far) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Recommended wording:
Static users, as described above
|
||
* Static Users (what we used so far) | ||
* LDAP / Active Directory | ||
* External IdP (eg Google, LinkedIn, Github, ...) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some tech writing best practices:
- Since this is the first time you're using the abbreviation "IdP", you should spell it out in full first so people don't have to look it up.
- Replace "eg" with "for example,". The reason is that many people confuse "e.g." and "i.e.", and abbreviations like "eg" can be confusing for people whose first language is other than English.
- For "Google" (and maybe for other providers in the list?) do we need to say which of the providedc auth mechanisms we're referring to?
- Capitalization: "GitHub".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the advice, fixed accordingly.
For "Google" (and maybe for other providers in the list?) do we need to say which of the providedc auth mechanisms we're referring to?
Dex doesn't specify explicitly, so I think it's better for users to check out Dex's documentation.
|
||
This section focuses on setting up Dex to authenticate with an existing LDAP database. | ||
|
||
1. **[OPTIONAL]** If you don't have an LDAP database, you can set up one following these instructions: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change the square brackets to round brackets (parentheses), as square brackets usually indicate some coding convention or other. Also, it's not necessary to use caps as well as bold text - it may seem over-emphatic to the reader:
***(Optional)***
|
||
This section focuses on setting up Dex to authenticate with an existing LDAP database. | ||
|
||
1. **[OPTIONAL]** If you don't have an LDAP database, you can set up one following these instructions: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Word order (it's tricky :) ) - change "set up one" to "set one up".
|
||
```bash | ||
kubectl exec -it -n kubeflow ldap-0 -- bash | ||
ldapadd -x -D "cn=admin,dc=arrikto,dc=com" -W |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just checking: Is the use of arrikto
here intentional (that is, all users must use this value) or is it just an example?
The same comment applies to line 289 above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the example configuration we demoed in the community meeting.
It's an example of what an LDAP config would look like for Arrikto.
It's tested and confirmed to work.
Of course, users can substitute any values they want or use an already existing LDAP user schema.
|
||
</details> | ||
|
||
2. To use your LDAP/AD server with Dex, you have to edit the Dex config.To edit the ConfigMap containing the Dex config, run: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change "run" to "follow these steps" - because the reader expects a command to follow the word "run", but instead comes across some steps with text.
|
||
# The attribute to display in the provided password prompt. If unset, will | ||
# display "Username" | ||
usernamePrompt: Arrikto username |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment about the use of "Arrikto" in this section - is it just an example, or is it required because the user is using Arrikto software?
# Required field for connector name. | ||
name: LDAP | ||
config: | ||
# Host and optional port of the LDAP server in the form "host:port". |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These comments within the config file are great. If possible, it would be good to have similar comments in the LDAP setup files above, explaining the use of usernames, etc. See my previous comment about providing example names.
{{< /highlight >}} | ||
|
||
1. Restart the Dex deployment, by doing one of the following: | ||
* Force recreation, by deleting the Dex deployment's Pod(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we give an idea of what the Pod names are or look like, and a sample command for deleting them?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Of course.
I should give more information here.
|
||
1. Restart the Dex deployment, by doing one of the following: | ||
* Force recreation, by deleting the Dex deployment's Pod(s). | ||
* Trigger a rolling update, by adding/updating a label on the PodTemplate of the Dex deployment. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we explain how to add/update a label, or link to docs that explain the process?
@sarahmaddox of course, I'd love to participate. In addition, thanks for all the comments! I will take another pass asap. |
Is this tutorial aimed at just on-prem clusters, or is this meant to be a generic platform-agnostic guide? Who is the target user? We're in the process of re-organizing the getting started section, and we're not entirely sure where this should be categorized |
Hi @dansanche . That being said, the only requirement is a Kubernetes Cluster so it will work for any existing cluster. |
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
@sarahmaddox thanks for all the feedback. |
Nice! /lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sarahmaddox The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR extends the documentation on existing_arrikto and adds instructions for connecting with LDAP/AD
cc @sarahmaddox
Signed-off-by: Yannis Zarkadas yanniszark@arrikto.com
This change is